Hello,

We are migrating SoftHSM keys between servers (so that we can migrate our zone signing to a new server).

Old server versions:
$ softhsm --version
1.3.5
$ ods-enforcerd version
OpenDNSSEC ods-enforcerd started (version 1.4.8.2), pid 32735

New server versions:
$ softhsm2-util --version
2.1.0
$ ods-enforcer --version
opendnssec version 2.1.1

I have successfully exported the keys from the old server with:
$ softhsm --export tld-257.pem --id 5edbd7c17a7a2935859aad429876c1c8 --slot 0 --pin 1234 --file-pin 4321
$ softhsm --export tld-256.pem --id 8c74f7310af7073736fdb3ffb653bed5 --slot 0 --pin 1234 --file-pin 4321

I have successfully imported the keys to the new server with:
$ softhsm2-util --import tld-257.pem --id a257 --slot 0 --pin 1234 --label "SoftHSM" --file-pin 4321
The key pair has been imported.
$ softhsm2-util --import tld-256.pem --id a256 --slot 0 --pin 1234 --label "SoftHSM" --file-pin 4321
The key pair has been imported.

I can verify that OpenDNSSEC can see the keys with:
$ ods-hsmutil list

Listing keys in all repositories.
2 keys found.

Repository            ID                                Type
----------            --                                ----
SoftHSM               a257                              RSA/2048
SoftHSM               a256                              RSA/1024

The issue comes when trying to import the keys into OpenDNSSEC to start signing the zone with them.

I'm issuing the following commands, and they keep returning that the key cannot be found with the locator:
$ ods-enforcer key import --cka_id a257 -r SoftHSM -z tld --bits 2048 --algorithm 8 --keystate active --keytype KSK --inception_time 2019-09-13-00:00:00
Unable to find the key with this locator: a257
$ ods-enforcer key import --cka_id a256 -r SoftHSM -z tld --bits 1024 --algorithm 8 --keystate active --keytype ZSK --inception_time 2019-09-13-00:00:00
Unable to find the key with this locator: a256

Is there something I'm missing here? The keys exist in the repository, and ods-hsmutil list returns them; however, when importing them for use with the zone, it continues to indicate that it cannot find the keys.

Any help would be appreciated.

Alain Baxter,
Sr DevOps Specialist
Canadian Internet Registration Authority
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user